Ep. 2: Why It’s Time to Trust in Digital Trust, Part 1

Summary

Digital trust is a key component in the race for digital transformation. Yet many enterprises don’t seem to have gotten the message, according to a recent global survey of business leaders and IT pros. We’ll cover the stats (98% say digital trust is important, but only 57% offer training in trust) and the solutions (from securing the supply chain to protecting data privacy) with experts from ISACA, the Information Systems Audit and Control Association.

HOST: Melissa Bischoping, director of endpoint security research, Tanium
GUESTS: David Samuelson, [former] CEO, and Chris K. Dimitriadis, chief global strategy officer, ISACA

Production note: At the time of this recording, Samuelson served as ISACA’s CEO. He has since left the organization. Tracey Dedrick is currently ISACA’s interim CEO.

Show notes

Check out ISACA’s survey and resources on digital trust, and these articles in Focal Point, Tanium’s new online cyber news magazine.

• ISACA’s State of Digital Trust 2022 report
• ISACA Digital Trust Resources
• What the Tech Sector Can Learn From TikTok: Trust Is Everything
• Digital Transformation Requires Security Transformation

Transcript

The following interview has been edited for clarity.

David Samuelson: Digital trust is a journey, and that trust must be assured and earned every day with every digital interaction. That’s kind of old-fashioned in a way. I mean, every day you have to earn the trust of your customer. So this is not a one-and-done goal.

Melissa Bischoping Enterprises worldwide are competing in the race for digital transformation, but there are significant security gaps between what enterprises are doing and what they should do to establish leadership and earn their customers’ trust in the future digital ecosystem. A new global survey of 2,755 business and information technology professionals has found that while 98% say digital trust is important, only 12% have a dedicated role to ensure success.

Hi, I’m Melissa Bischoping, director of endpoint security research at Tanium. Joining me today to explain what digital trust is and why it matters are David Samuelson, the CEO of ISACA, the international professional association focused on IT governance; and Chris Dimitriadis, its chief global strategy officer. They’re with us today to discuss ISACA’s State of Digital Trust 2022 survey. David and Chris, welcome.

Samuelson: Thanks for having us.

Chris Dimitriadis: Thank you, Melissa.

Bischoping: Let’s get started with the term digital trust. Some of our listeners may not necessarily be familiar, so let’s level-set on what exactly is digital trust and why it’s important.

Samuelson: It’s a great question. I think everybody in the world understands the concept of digital trust because we’re all connected in so many ways—many more ways than we ever have been. But we actually have a definition of digital trust, from having worked with all of our digital trust professionals. We have 170,000 members in 180 countries around the world, and we define it as the confidence in the relationship and transactions among providers and consumers within an associated digital ecosystem.

Chris, maybe you can talk about some of the top benefits that organizations experience when there’s higher levels of trust.

Dimitriadis: Absolutely, and this comes from our survey that we conducted this year. Of the people we surveyed, 66 percent, a majority, said that positive reputation is one of, or maybe the top benefit of implementing digital trust. Fewer privacy breaches, fewer cybersecurity incidents, and more reliable data for decisions, stronger customer loyalty, which is very, very important for a business or organization to be successful. And faster innovation. These are a few more of the top benefits that organizations and businesses can enjoy through digital trust.

Bischoping: These are great points. You know, in any business, you want to build trust with your consumers about your brand, about your product, about its quality, but also, having that digital trust that their information is being handled safely and that you’re following good practices definitely leads a customer to be more interested in continuing to do business with you.

Samuelson: That’s right. And, you know, we’re an association, historically, of digital trust professionals who work, in their organizations, across very key domains like assurance, IT governance, risk management, cybersecurity, and privacy and quality across the domains that we serve. So digital trust is kind of in our DNA.

Bischoping: Absolutely. And I love that you put quality in there as well, because I think that when we talk about cybersecurity as a profession and as a field, and when we talk about governance, quality sometimes gets forgotten when we’ve got vulnerabilities to patch and we’ve got controls to implement. But quality is also important because it’s the quality of the experience for the user and the customer, but also the quality of your data and how you’re securing your environment. So I love that you put that in there.

So let’s talk about the report itself. What are some of the key takeaways? What are the main conclusions you’re able to draw from the report?

Samuelson: There are several, but there are five that sort of stick out—I think Chris and I can go back and forth on this. One is that it’s critical that enterprises earn the trust of their stakeholders every day and with every interaction. And while every employee has a role, an organization’s senior executive team has the primary responsibility to support and prioritize digital trust so that it drives digital innovation and transformation.

And often these IT controls and governance and risk attributes that our professionals work with, they get lost when you talk about the people side. The whole organization really needs to understand the concept that trust is important in a digital ecosystem. So I think that’s a key takeaway.

What are the key takeaways for you, Chris?

Dimitriadis: I think a second key takeaway from the survey is the fact that digital trust is dependent on many different parameters: quality, availability, cybersecurity, privacy, and also ethics—I mean, overall integrity. So we need to realize that digital trust can only be born, can only be created, through the collaboration of all of those adjusting domains.

And this is why it’s hugely important to make sure that we have the right training operations in place for the people to be able to collaborate better and to help an organization, a digital ecosystem, achieve a higher maturity in digital trust.

Samuelson: This is something we realized by listening to our members who are in these different domains, talk to one another. They realize that while cybersecurity and a silo is critically important, as is risk or assurance, it’s actually the collaboration that’s going to achieve something like digital trust. And digital trust is a business term in the sense that we all want a trusted ecosystem to engage with. So that was number two.

Number three is that senior executives have to clearly define and prioritize and align digital trust throughout the organizations. And that means that there needs to be training and there needs to be alignment with organizational goals, and there needs to be budget and staffing for these kinds of things. So leadership support is critical.

Bischoping: And David, you mentioned senior executives have the responsibility of defining and prioritizing, and I could not agree with that more. What do you think the biggest challenge is with that? Where’s the disconnect between those senior leaders and the rest of the business to get that translation and that definition across the enterprise?

Samuelson: It’s a great question, because as a senior leader in an organization with about 350 employees, I view these kinds of trust attributes as senior management’s job. And when we delegate to individuals like the IT governance guy or the risk person, or the woman who’s in charge of cyber, you sometimes can forget that you need to socialize that with the rest of employees.

Marketing people have to understand the value of digital trust. And when you talk about it as digital trust, they’re more likely to understand it. HR needs to understand, so when they’re onboarding people, there’s an understanding that how we treat our customers, with transparency and ethically, is going to matter in terms of our success as a business. That’s why I think it’s everyone’s job.

Bischoping: Awesome. So that was the third takeaway. What about number four and five?

Dimitriadis: I can take number four: maybe the obvious conclusion that you can’t really improve, if you don’t measure where you stand. So it’s critical to have a system in place, a methodology to measure digital trust holistically.

Samuelson: Every organization is sort of a different size and shape, so their ability to do some of this work is going to be at different maturity levels. But there’s a lot of small to medium-sized businesses in the world that drive our economy. And some of these aspects in these various domains are all on the shoulders of one IT professional. And so having an understanding of where you are in a maturity level allows you to focus on where you need to put your energy.

Large companies might be well covered under cybersecurity, but might not have some of the collaboration activity going on. So I think there’s value to this maturity measurement as well.

And so the fifth thing is a simple one: that digital trust is a journey, and that trust must be assured and earned every day with every digital interaction. That’s kind of old-fashioned in a way. I mean, every day you have to earn the trust of your customer. And in a digital world, you need to earn the digital trust of your customer. So this is not a one-and-done goal.

Bischoping: I love that. You know, I’ve worked in those environments where I’ve been part of those small teams, and you really do have to build the relationships across the business to create that foundation to get toward security. So I love these key takeaways that you call out.

So now, we’ve talked a little bit about how trust gets built, but can we also talk a little bit about how a company would measure digital trust?

Samuelson: Well, it’s a great question. We’re developing a framework as an association of digital trust professionals to try to help build sort of a best-practice understanding of what it might look like across these domains. And I think that’s an important reason for associations like ours to exist: to bubble up from the practitioners what’s important around this and gather the knowledge base that helps organizations and the people who have this responsibility know what great looks like and know where they are on that maturity scale.

Bischoping: I’m definitely drawing a lot of parallels between some of the other functionality within IT ops and security that tie into this whole building of trust. So you have your frameworks and your solid foundations that you have to build, and then you can layer continued improvement on top of that until you reach your mature goals.

Let’s talk about the foundation then. If I am an organization wanting to start assessing my digital trust, what are the things I can do immediately or quickly to improve it?

Dimitriadis: I think it all starts with implementing the right framework. And this goes back to what David said about this brand-new approach to digital trust that ISACA is introducing. But I think it’s as a first step, I think it will be worth making sure that in those domains or divisions, departments we mentioned, it’s hugely important to have people who can interpret the more technical, related results, in relation to digital trust, to business ones. Because at the end of the day, from a business point of view, trust has to do with the stakeholders of that business—the customers, the board, the shareholders, the employees, with the partners.

So, I think this interpretation from a more technical to more business way of measuring digital trust, is hugely important to be able to draw conclusions. Because measuring is about drawing conclusions and improving, right?

Samuelson: And Melissa, you mentioned small organizations, I think the critical thing for them is to know where to start.

There’s a lot of focus right now on cybersecurity, as there should be. We have a lot of vulnerabilities, and if you’re a small company, that could put you out of business, and maybe that’s the first thing you need to focus on, but it may not be sufficient in the long haul. And so prioritizing the things that should be focused on in, let’s say a framework of activity, getting to that first priority—I think of the sort of agile methodology of backlog grooming. You want to know what things can get done now in the first sprint, and then what will I do in the next sprint, and keep getting better.

So I think priority and methodology are useful tools to help people figure out what to do first.

Dimitriadis: And I might add, I think it’s very important to start measuring digital trust on the supply chain because many small to medium enterprises depend on their supply chain in order to offer their products and services.

So at ISACA since we strongly believe that digital trust is about the overall digital ecosystem, it’s very important to focus on the partners and on the overall supply chain in order to be able to bring results more quickly, as a first step toward implementing digital trust.

Samuelson: It’s a great point, and SolarWinds is a great example of that.

But even a decade ago when Target had a breach, it was a supplier problem, but Target got blamed.

You know, when Apple started the marketplace for app developers, it was less trustworthy until Apple could step in and put in some controls to make sure that we all could believe in Apple again. So I think it’s a really important point about the whole ecosystem.

Bischoping: So as I’m going through this conversation, I had a thought, we talk a lot about how security is not compliance, compliance is not security—like, just because you’re checking the box on compliance doesn’t mean you’re secure, and just because you’re securing things doesn’t mean you’ll pass an audit.

Would it be accurate to say that digital trust is sort of a state you can reach when security and compliance are working holistically together, in harmony instead of in those silos? Is digital trust what happens when compliance and security are truly united for positive change?

Samuelson: I think that’s very well said, Melissa. And it’s part of what’s at the heart of our work, cuz we’re interested in the personality of this activity as much as the activity itself.

We talk in IT a lot about people, process and technology, and it’s often the people side that doesn’t get as much attention—for example, IT professionals aren’t necessarily trained to argue their point of view in the C-suite, or to find a collaborative way to work with their colleagues to get something accomplished. So our community has talked about this for some time, and in this digital trust framework, we’re very focused on what that means and what would help them make that argument.

That’s partly why we put it in business terms, but you used the right word. It’s sort of that holistic approach to achieving digital trust that matters. Chris, I know you’re passionate about this…

Dimitriadis: Yeah, I would like to build upon that in regards to other domains—audit, for example, because you can’t really be successful in cybersecurity if you don’t have a very strong audit term. The same applies for risk management; if you don’t master risk management from a business point of view, again, you can’t be successful in cybersecurity. The same applies with privacy. You can be fantastic in terms of cybersecurity, but that doesn’t mean you won’t be facing a privacy breach. And ethics, even if you have the perfect organization in these other domains, if it’s not according to ethical expectations of customers, that organization can really hurt, uh, its, uh, its brand.

The holistic approach is important, because if we don’t bring everything together, we won’t be able to enjoy the real benefits of digital trust.

Bischoping: I’ve been talking with David Samuelson, the CEO of ISACA, and Chris Dimitriadis, its chief global strategy officer.

If you’d like to read more about their 2022 Global Survey on Digital Trust, check out the link in the show notes, or you can learn more on the subject on Tanium’s online cyber news magazine at Tanium.com. To hear more conversations with top security leaders, make sure to subscribe to Let’s Converge on your favorite podcast app, such as Apple Podcasts and Spotify. If you liked this episode, please give us a five-star rating.

Thanks for listening, and we look forward to sharing more cyber insights on the next episode of Let’s Converge.